I am learning about Cryptography in .NET and I wrote the following function as a test:
byte[] foo(byte[] input, string keyContainerName)
{
CngKey key = CngKey.Open(keyContainerName);
RSACng rsa = new RSACng(key);
rsa.KeySize = 2048;
byte[] v = rsa.Encrypt(input, RSAEncryptionPadding.OaepSHA512);
CngKey keyb = CngKey.Open(keyContainerName);
RSACng rsab = new RSACng(keyb);
rsab.KeySize = 2048;
return rsab.Decrypt(v, RSAEncryptionPadding.OaepSHA512);
}
When I try executing it, rsab.Decrypt() throws a Cryptographic exception with the message: "The parameter is incorrect.".
Why is this happening? Where did I go wrong?
P.S. I previously created a key pair in the KSP with CngKey.Create(). foo is called with keyContainerName beeing the keyName passed to CngKey.Create().
If you want to create an app that does symmetric and asymmetric encryption and decryption, You can try integrating ExpressSecurity library via NuGet
More info: https://github.com/sangeethnandakumar/Express-Security-Library
AES - Symetric Encryption (For files)
var password = "sangeeth123";
var inputPath = "C:\sample.txt";
var outputPath = "C:\sample.txt.aes";
//AES Encription
AESEncription.AES_Encrypt(inputPath, password);
//AES Description
AESEncription.AES_Decrypt(outputPath, password);
RSA - Asymmetric Encryption (For strings and text)
//Generate Keys
var publicKeyPath = "C:\public_key.rsa";
var privateKeyPath = "C:\private_key.rsa";
RSAEncription.MakeKey(publicKeyPath, privateKeyPath);
var input = "sangeeth"
//RSA Encription
var ciphertext = RSAEncription.EncryptString(input, publicKeyPath);
//RSA Description
input = RSAEncription.DecryptString(ciphertext, privateKeyPath);
Related
I want to create iothub device certificates from C# code. The root CA is stored in keyvault as a .pfx, fetched as a string, and then converted from base 64 in order to obtain the certificate bytes as it is required for a certificate stored in keyvault: Azure Key Vault Certificates does not have the Private Key when retrieved via IKeyVaultClient.GetCertificateAsync
I want to write a function that will take these bytes, along with a subject name (for the leaf certificate) and will create a x509 certificate (with both public and private keys) that would have the issuer as the root.
Here is what I have sketched so far:
public static X509Certificate2 GenerateCertificateBasedOnIssuer(string subjectName, byte[] issuerByteCert)
{
var issuerCertificate = new X509Certificate2(issuerByteCert);
RSA keyProvider = issuerCertificate.GetRSAPrivateKey();
CertificateRequest certificateRequest = new CertificateRequest($"CN={subjectName}", keyProvider, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
var publicOnlyDeviceCertificate = certificateRequest.Create(issuerCertificate, issuerCertificate.NotBefore, issuerCertificate.NotAfter, serialNumber.ToByteArray());
return publicOnlyDeviceCertificate; // oh no ! :(
}
The issue I am having with this solution is that the created certificate only contains a public key.
I found another solution that appears to solve my problem on another Stack Overflow question using BouncyCastle's X509V3CertificateGenerator: Generate a self-signed certificate on the fly
The issue I have with this solution is that I cannot convert my rootCA certificate's private key to an AsymmetricKeyParameter (first parameter of the X509V3CertificateGenerator.Generate method). I tried converting the issuer's key to AsymmetricKeyParameter using this solution: convert PEM encoded RSA public key to AsymmetricKeyParameter, but I got an invalid operation exception.
I was wondering if I was on the right path (as far as understanding goes) and if there is a way to generate a certificate with a private (and public key) based on the code I currently have in place.
UPDATE: I have been able to convert a private key to an AsymmetricKeyParameter by hardcoding the key as follows:
string testKey = #"-----BEGIN PRIVATE KEY-----
<THE KEY>
-----END PRIVATE KEY-----
";
var stringReader = new StringReader(testKey);
var pemReader = new PemReader(stringReader);
var pemObject = pemReader.ReadObject();
var keyParam = ((AsymmetricKeyParameter)pemObject);
Azure keyvault stores certificate in a pfx format. I am thinking of storing the private key as a secret string. I will keep testing with an hardcoded key for now until I get to a working solution.
I am now testing with BouncyCastle and will come back with a working solution if it works!
The key you pass to CertificateRequest is used as the public key in the cert... so you want to pass a new key, not the issuer's key.
Then, once you now have the subject key, you use CopyWithPrivateKey at the end to glue them back together.
public static X509Certificate2 GenerateCertificateBasedOnIssuer(string subjectName, byte[] issuerByteCert)
{
using (var issuerCertificate = new X509Certificate2(issuerByteCert))
using (RSA subjectKey = RSA.Create(2048))
{
CertificateRequest certificateRequest = new CertificateRequest($"CN={subjectName}", subjectKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
var publicOnlyDeviceCertificate = certificateRequest.Create(issuerCertificate, issuerCertificate.NotBefore, issuerCertificate.NotAfter, serialNumber.ToByteArray());
using (publicOnlyDeviceCertificate)
{
return publicOnlyDeviceCertificate.CopyWithPrivateKey(subjectKey);
}
}
My project required key recovery features where the system admin can upload RSA Key container
to restore it in the event for disaster recovery
Current implementation is when admin upload the backup RSA Key container file, the app will move it to RSA Key container folder located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
I tried to recover the key container from server into my local machine
Key container from server :
a953858192ce652ca077837fd55e8ea2_06454689-ae14-440b-aa53-c2eaac321be6
the bold part is Server Machine ID
When the RSACryptoServiceProvider tried to access the container, it will create a new container because the key name is not contain my local machine ID, made the decryption of encrypted data from server doesn't work.
I tried to rename the machine ID to my local machine ID
a953858192ce652ca077837fd55e8ea2_fbf0b515-e8c9-450d-bc0c-4bcb55cbd342
and the RSACryptoService throw error :
"Key not valid for use in specified state."
Code implementation in C# :
try{
// Create the CspParameters object and set the key container name used to store the RSA key pair.
var parameters = new CspParameters {KeyContainerName = containerName, Flags = UseMachineKeyStore};
// Create a new instance of RSACryptoServiceProvider that accesses
// the key container Key Container Name.
using var rsaCryptoServiceProvider = new RSACryptoServiceProvider(parameters); // error thrown "Key not valid for use in specified state."
try
{
var keyContainerBlob = rsaCryptoServiceProvider.ExportCspBlob(true);
using (var rsa = System.Security.Cryptography.RSA.Create())
{
rsa.KeySize = CryptoCommonHeap.RSAEncryptionKeySize;
rsaCryptoServiceProvider.ImportCspBlob(keyContainerBlob);
var privateKeyParameters = rsaCryptoServiceProvider.ExportParameters(true).ToPrivateKeyParameters();
var privateKeyParametersJson = JsonConvert.SerializeObject(privateKeyParameters);
PrivateKeyParametersJson = privateKeyParametersJson;
}
}
finally
{
// Setting This If Do Not Want To Store The File Persistently
//rsaCryptoServiceProvider.PersistKeyInCsp = false;
}
}
catch (Exception exception)
{
LogErrorToDatabase(ModuleName, "GenerateKeyAndSaveInKeyStore", exception);
}
I hope someone can enlighten me a correct way to restore RSA key container from another machine..
I've figured out myself how to properly restore the key container. Instead of copy the key container directly from Server A to Server B, I export the private key from server A to server B in PEM format and do restoration programmatically.
Dependency : Org.Bouncycastle
First you need to export the private key of your existing key in the key container, you must ensure the RSACryptoServiceProvider is loaded with your intended key container info
//Create the CspParameters object and set the key container name used to store the RSA key pair.
var parameters = new CspParameters {KeyContainerName = containerName, Flags = UseMachineKeyStore};
// Create a new instance of RSACryptoServiceProvider that accesses
// the key container Key Container Name.
using var rsaCryptoServiceProvider = new RSACryptoServiceProvider(parameters);
Then export the key by using this :
private string ExportKey(RSACryptoServiceProvider rsa) {
var writer = new StringWriter();
var pemWriter = new PemWriter(writer);
var rsaKeyPair = DotNetUtilities.GetRsaKeyPair(rsa);
pemWriter.WriteObject(rsaKeyPair.Private);
return writer.ToString();
}
now you'll have the PEM content and save it to appropriate location :
-----BEGIN RSA PRIVATE KEY-----
MIICXwIBAAKBgQDCmI8XFUlZUwoGXl42GNzY2o6exeA51/7U0UF4u5+AAbS+h3xD
Pk1BQ5rlzwOu+a2SrbNnGlH5j/6n+kQqLcBdwVdHAF6CFaPmKf7xUEqKwo2RCoG9
zNYB5gc4youdppr4K7uLDQoVvM9xUVi09n2zg3KSigLpX3WM5k4lJWOiOQIDAQAB
AoGBAL6X58ZHDhFT+MSmFwZLMbufzQKLcoOVH73XupWCxsT8ZsgaMUY3NjmO+p7N
NKFjYHMCeG2qZNHXDCgAQlVBfF9fvA3SulymyYoHEAGY1ghAnky7PjuESYmCFDes
6BlyMBfjNtAPkvSA/VZi00VOuCl7Vg4FJLOesmZzHdoaflIlAkEA+W5NU3l+z5+d
rZkw86v+ZvmuDNv77Bh5DZJ1SjQ6uiWCV7LmMOc6eOETmV0d25UkBdAU4KpfRFXg
zcEh548t9wJBAMe4jVQFMjv2L35Kr0jsSEi+O3OPNn7UTNYWlCwv0FnzB3YBMFvA
ULDYmtduaBqchzqqleWrOGK8dOeiUyj+ZU8CQQCsMlX31tyRAaSdgDCnSIntFVnv
Tr9wksSfdgi7Haudbt+5I6x+/mMDqH8bVYmTWjbwPGLtZzE1wAPeiAKcFeCpAkEA
hW+OLRaTq3Ad5xjq56PF36QJgHmshSw+ccMAGE2RvKcc0wCUWJiy0JTHTyvarfzq
dI3IPHwa3gzfZmsTeI4PDQJBAI+LvqZzxzwf01DWgDqiJzKwt+bejtdfnPqQhjRD
rcZcM550Iwy0PCdrRTswDbloNhCfcyi1HXIvZTydMXzOueU=
-----END RSA PRIVATE KEY-----
Then regenerate key container in Server B based on key information in PEM file
public bool PrivateKeyRecovery(string pem)
{
try
{
//read key info
PemReader pr = new PemReader(new StringReader(pem));
var paramObject = pr.ReadObject();
AsymmetricCipherKeyPair KeyPair = (AsymmetricCipherKeyPair)paramObject;
RSAParameters rsaParams = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)KeyPair.Private);
//prepare key name and csp parameters
var keyContainerName = "RestoredContainer" + DateTime.Now.ToString("yyyyMddhmm");
var parameters = new CspParameters { KeyContainerName = keyContainerName, Flags = UseMachineKeyStore };
//import csp parameters into new instance of RSACryptoServiceProvider
RSACryptoServiceProvider csp = new RSACryptoServiceProvider(parameters);
csp.ImportParameters(rsaParams);
//exporting new key container
var keyContainerBlob = csp.ExportCspBlob(true);
csp.ImportCspBlob(keyContainerBlob);
}
catch (Exception exception)
{
//your error handling
}
return false;
}
now you can decrypt data from Server A in Server B by loading the newly generated key container into RSACryptoServiceProvider.
I have a publickey certificate and a privatekey. Before adding to the x509store I want to protect the privatekey with a password.
My requirement is when I find the x509certificate2 from store using subject name I should get the certiifcate with the privatekey.But privatekey should be password protected without any ui prompt.
When creating rsacryptoservice provider I tried to attach key password to the csp params and I can able to create rsacryptoserviceprovider object.I have attached that to a x509certificate2 and added to the windows store. But after retrieving from store private key is throwing cryptographic exception.
var cspParams = new CspParameters
{
ProviderType = 1,
Flags = CspProviderFlags.UseMachineKeyStore
};
string passphrase = "password";
char[] passPhrase = passphrase.ToCharArray();
SecureString keyPassword = new SecureString();
for (int i = 0; i < passPhrase.Length; i++)
{
keyPassword.AppendChar(passPhrase[i]);
}
cspParams.KeyPassword = keyPassword;
using (RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider(cspParams))
{
rsaProvider.ImportParameters(rsaParam);
rsaProvider.PersistKeyInCsp = true;
X509Certificate2 x509Certificate = new X509Certificate2(Convert.FromBase64String(cryptoCertificate),
"123",
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable |
X509KeyStorageFlags.PersistKeySet)
{PrivateKey = rsaProvider};
store.Add(x509Certificate);
}
The problem is here:
using (RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider(cspParams))
{
rsaProvider.ImportParameters(rsaParam);
rsaProvider.PersistKeyInCsp = true;
X509Certificate2 x509Certificate = new X509Certificate2(<...>)
{PrivateKey = rsaProvider};
<..>
}
You are creating a new RSA asymmetric key pair and attempt to attach it to a certificate. However, this key pair is brand new and doesn't match the public key stored in certificate. Instead, you have to acquire private key handle from X509Certificate2 object and work on it, do not create new keys, it will never work.
And do not use RSACryptoServiceProvider it is dead and obsolete. Instead, you must use X509Certificate.GetRSAPrivateKey() extension method to get an instance of RSA class and extract CSP parameters from that RSA object.
I have a X509Certificate2 variable and I'm trying to cast the private key of the variable to a RSACryptoServiceProvider
RSACryptoServiceProvider pkey = (RSACryptoServiceProvider)cert.PrivateKey;
However I get this exception.
System.InvalidCastException: 'Unable to cast object of type 'System.Security.Cryptography.RSACng' to type 'System.Security.Cryptography.RSACryptoServiceProvider'.'
It's weird that this happens because other answers in SO suggested the same procedure as mine but I get an exception. Any solutions to this?
So after a few tries and discussions in the comments I came up with the following solution.
RSA rsa = (RSA)cert.PrivateKey;
(cert.PrivateKey as RSACng).Key.SetProperty(
new CngProperty(
"Export Policy",
BitConverter.GetBytes((int)CngExportPolicies.AllowPlaintextExport),
CngPropertyOptions.Persist));
RSAParameters RSAParameters = rsa.ExportParameters(true);
AsymmetricCipherKeyPair keypair = DotNetUtilities.GetRsaKeyPair(RSAParameters);
The problem was that the variable rsa wasn't exportable. To change this I set a new CngProperty for the export policy. Works perfectly now
Just wanted to note that there's also an extension method that can be used:
using System.Security.Cryptography.X509Certificates;
...
//certificate is a X509Certificate2
using (var rsa = certificate.GetRSAPrivateKey())
{
//the var rsa is an RSA object
//...
}
In my case the same problem was happening when trying to convert local store certificate to RSACryptoServiceProvider as below:
RSACryptoServiceProvider encryptProvider =
certificate.PrivateKey as RSACryptoServiceProvider;
Issue fixed by using RSA instead of RSACryptoServiceProvider.
Putting instructions here in case if someone will be curious how to do that )).
To store some certificate into your machine open Visual Studio Developer Command and type following:
makecert -n "CN=JohnDoe" -sr currentuser -ss someCertStore
...where you can specify and values instead of "JohnDoe" and "demoCertStore".
Now you can use the below code to access certificates from the local certificate store:
public class Program
{
static void DumpBytes(string title, byte[] bytes)
{
Console.Write(title);
foreach (byte b in bytes)
{
Console.Write("{0:X} ", b);
}
Console.WriteLine();
}
static void Main(string[] args)
{
// This will convert our input string into bytes and back
var converter = new ASCIIEncoding();
// Get a crypto provider out of the certificate store
// should be wrapped in using for production code
var store = new X509Store("someCertStore", StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
// should be wrapped in using for production code
X509Certificate2 certificate = store.Certificates[0];
RSA rsa = (RSA)certificate.PrivateKey;
(certificate.PrivateKey as RSACng)?.Key.SetProperty(
new CngProperty(
"Export Policy",
BitConverter.GetBytes((int)CngExportPolicies.AllowPlaintextExport),
CngPropertyOptions.Persist));
string messageToSign = "This is the message I want to sign";
Console.WriteLine("Message: {0}", messageToSign);
byte[] messageToSignBytes = converter.GetBytes(messageToSign);
// need to calculate a hash for this message - this will go into the
// signature and be used to verify the message
// Create an implementation of the hashing algorithm we are going to us
// should be wrapped in using for production code
DumpBytes("Message to sign in bytes: ", messageToSignBytes);
HashAlgorithm hasher = new SHA1Managed();
// Use the hasher to hash the message
byte[] hash = hasher.ComputeHash(messageToSignBytes);
DumpBytes("Hash for message: ", hash);
// Now sign the hash to create a signature
byte[] signature = rsa.SignHash(hash, HashAlgorithmName.SHA1, RSASignaturePadding.Pss);
DumpBytes("Signature: ", messageToSignBytes);
// Now use the signature to perform a successful validation of the mess
bool validSignature = rsa.VerifyHash(hash: hash,
signature: signature,
hashAlgorithm: HashAlgorithmName.SHA1,
padding: RSASignaturePadding.Pss);
Console.WriteLine("Correct signature validated OK: {0}", validSignature);
// Change one byte of the signature
signature[0] = 99;
// Now try the using the incorrect signature to validate the message
bool invalidSignature = rsa.VerifyHash(hash: hash,
signature: signature,
hashAlgorithm: HashAlgorithmName.SHA1,
padding: RSASignaturePadding.Pss);
Console.WriteLine("Incorrect signature validated OK: {0}", invalidSignature);
Console.ReadKey();
}
You can avoid the code that is setting the export policy altogether by simply creating the certificate with the export policy already being correct. I used the New-SelfSignedCertificate PowerShell utility to create a certificate that was exportable from inception.
PS C:>New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\" -Subject "CN=JUSTIN" -KeyExportPolicy Exportable
This negates the need for:
(certificate.PrivateKey as RSACng)?.Key.SetProperty(new CngProperty("Export Policy", BitConverter.GetBytes((int)CngExportPolicies.AllowPlaintextExport),CngPropertyOptions.Persist));
I am working on a project where I need to use a "public key" to encrypt a message using RSA algorithm. I was provided with a certificate and my first thought was to use Public Key from that certificate and after investigation I learned I need to use RSACryptoServiceProvider for encryption.
I have checked msdn and only method I thought I should use is RSACryptoServiceProvider.ImportCspBlob(byte[] keyBlob).
When I tried to use public key exported from certificate I was getting an error that the header data for certificate is invalid.
I know I can cast X509certificate2.PublicKey.Key to RSACryptoServiceProvider but from what I understood from my client is that going forward I will be given only a public key and not the certificate. This key will have to be saved in .xml configuration file.
So to summarize: Is there a way to generate an RSACryptoServiceProvider given only a certificate's public key?
You can try to look at this example: RSA public key encryption in C#
var publicKey = "<RSAKeyValue><Modulus>21wEnTU+mcD2w0Lfo1Gv4rtcSWsQJQTNa6gio05AOkV/Er9w3Y13Ddo5wGtjJ19402S71HUeN0vbKILLJdRSES5MHSdJPSVrOqdrll/vLXxDxWs/U0UT1c8u6k/Ogx9hTtZxYwoeYqdhDblof3E75d9n2F0Zvf6iTb4cI7j6fMs=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";
var testData = Encoding.UTF8.GetBytes("testing");
using ( var rsa = new RSACryptoServiceProvider(1024))
{
try
{
// client encrypting data with public key issued by server
//
rsa.FromXmlString(publicKey);
var encryptedData = rsa.Encrypt(testData, true);
var base64Encrypted = Convert.ToBase64String(encryptedData);
}
finally
{
rsa.PersistKeyInCsp = false;
}
}
You are OK and following a good typical pattern. The Sender of the data does not need the private key.
The following may confirm some of the code you already have figured out.
The one line where I set the private key for the receiver/decoder I left out.
I took this from a test case I have in my build deploy stuff.
byte[] certBytAr; // This is the certificate as bianry in a .cer file (no private key in it - public only)
X509Certificate2 cert2 = new X509Certificate2(certBytAr);
string strToEncrypt = "Public To Private Test StackOverFlow PsudeoCode. Surfs Up at Secret Beach.";
byte[] bytArToEncrypt = Encoding.UTF8.GetBytes(strToEncrypt);
RSACryptoServiceProvider rsaEncryptor = (RSACryptoServiceProvider)cert2.PublicKey.Key;
byte[] dataNowEncryptedArray = rsaEncryptor.Encrypt(bytArToEncrypt, true);
// done - you now have encrypted bytes
//
// somewhere elxe ...
// this should decrpyt it - simulate the destination which will decrypt the data with the private key
RSACryptoServiceProvider pk = // how this is set is complicated
// set the private key in the x509 oobject we created way above
cert2.PrivateKey = pk;
RSACryptoServiceProvider rsaDecryptor = (RSACryptoServiceProvider)cert2.PrivateKey;
byte[] dataDecrypted = rsaDecryptor.Decrypt(dataNowEncryptedArray, true);
Console.WriteLine(" encrypt 1 Way Intermediate " + BitConverter.ToString(dataDecrypted));
string strDecodedFinal = Encoding.UTF8.GetString(dataDecrypted);
if (strDecodedFinal == strToEncrypt)
{
}
else
{
Console.WriteLine(" FAILURE OF ENCRYPTION ROUND TRIP IN SIMPLE TEST (Direction: Public to Private). No Surfing For You ");
}